DPDPA 2023DPDP Rules 2025DPIACross Border TransferConsent
AMLEGALS / Services / Data Privacy
Specialized Practice

Data Privacy & DPDPA

The Digital Personal Data Protection Act 2023 carries a maximum penalty of INR 250 crore, and that number is the real price of getting compliance wrong.

India enacted the Digital Personal Data Protection Act on 11 August 2023, the Rules were notified on 13 November 2025 and the Act is in full force from 13 May 2027.
10
Offices across India
6
Focus areas within this practice
What we cover

Key practice areas

The Digital Personal Data Protection Act 2023 carries a maximum penalty of INR 250 crore, and that number is the real price of getting compliance wrong.

01

DPDPA Implementation

Comprehensive implementation covering gap assessment, consent architecture, privacy notices, data principal rights mechanisms, grievance redressal, and compliance documentation. We build programmes that work in practice, not just on paper.

02

Privacy Impact Assessments

Data Protection Impact Assessments for new products, services, and processing activities. Identification and mitigation of privacy risks before they become compliance failures.

03

DPO as a Service

External Data Protection Officer services for companies that need DPO expertise without full time recruitment. Regulatory interface, compliance monitoring, and board reporting.

04

Cross Border Data Transfers

Advisory on DPDPA cross border transfer restrictions, government notification requirements, and contractual mechanisms for international data flows. Particularly relevant for GCCs and multinational operations.

05

Consent Management

Consent architecture design, notice drafting, and consent lifecycle management. DPDPA requires specific, informed, and unconditional consent. We design systems that achieve this without disrupting user experience.

06

Data Breach Response

Breach notification to the Data Protection Board, data principal communication, forensic investigation coordination, and regulatory engagement. The response in the first 72 hours defines the outcome.

The TCL Framework applied

Technical. Commercial. Legal. On the same page.

Every engagement is read through three lenses at once, so the advice fits the technology, the commercial intent and the statute together.

Technical

Understanding data flows, processing activities, technology architecture, and system capabilities. Privacy implementation that ignores technical reality creates policy documents that nobody follows.

Commercial

Privacy compliance must integrate with business operations, not obstruct them. We design consent mechanisms, data retention policies, and processing frameworks that satisfy legal requirements while supporting business objectives.

Legal

DPDPA, 2023; the Digital Personal Data Protection Rules, 2025 (notified by MeitY on 13 November 2025, enforceable 13 May 2027, Consent Manager framework commencing 13 November 2026); IT Act, 2000; SPDI Rules, 2011; sectoral regulations (RBI, SEBI, IRDAI); EU GDPR for companies with EU exposure; and emerging Data Protection Board jurisprudence.

Context
Understanding Data Privacy.

India took seven years from the Supreme Court’s recognition of privacy as a fundamental right (Puttaswamy, 2017) to enacting comprehensive data protection legislation. The Digital Personal Data Protection Act 2023 represents a deliberate framework designed for Indian conditions while drawing on global best practices.

DPDPA applies to digital personal data processed within India and to processing outside India if it relates to offering goods or services to data principals in India. The scope is broad. Every company that collects personal data digitally, which means virtually every company, falls within the Act’s ambit.

The consent architecture under DPDPA is specific. Consent must be free, specific, informed, unconditional, and unambiguous. This is not a cookie banner exercise. It requires fundamental redesign of how businesses collect, process, and communicate about personal data. Consent notices must be in clear plain language. Purpose limitation is mandatory. Data minimisation is required.

Children’s data receives special protection. Processing personal data of children (under 18) requires verifiable parental consent. Targeted advertising directed at children is prohibited. Companies in ed tech, gaming, social media, and any sector serving younger audiences face specific compliance obligations.

Cross border data transfers are restricted to countries or territories notified by the central government. Until notifications are issued, businesses must assess their international data flows and implement contractual safeguards. For GCCs and multinational companies, this is a critical compliance area.

The Data Protection Board of India will enforce the Act. Penalties range up to INR 250 crore as the maximum penalty ceiling. The Board will adjudicate complaints, impose penalties, and develop enforcement jurisprudence.

Statutory framework

The framework we operate within.

The statutes, rules and regulators that govern this practice. We track every amendment, circular and ruling so the position you take today still holds tomorrow.

  • DPDPA, 2023
  • IT Act, 2000
  • SPDI Rules, 2011
  • RBI Data Localisation
  • SEBI Cybersecurity Framework
  • IRDAI Data Guidelines
Get in Touch
Regulatory landscape
The rules that shape the outcome.

DPDPA 2023 establishes a principles based framework. Key obligations for Data Fiduciaries include lawful processing with valid consent or legitimate use grounds, purpose limitation, data minimisation, accuracy, storage limitation, and security safeguards.

Data Principal rights include right to access information about processing, right to correction and erasure of personal data, right to grievance redressal, and right to nominate a representative. Data Fiduciaries must establish mechanisms to fulfil these rights within prescribed timelines.

Significant Data Fiduciaries (SDF) face additional obligations including Data Protection Officer appointment, periodic data audits, Data Protection Impact Assessments, and compliance with any additional conditions prescribed by the government. SDF classification will be based on volume and sensitivity of data processed, risk to data principal rights, and potential impact on national security.

The IT Act 2000 and SPDI Rules 2011 continue to apply alongside DPDPA for matters not covered by the new Act. Sectoral regulators (RBI, SEBI, IRDAI, TRAI) maintain their own data protection requirements that businesses must comply with in addition to DPDPA.

The Digital Personal Data Protection Rules, 2025, notified by MeitY in the Gazette on 13 November 2025, prescribe the detailed procedural architecture, consent management standards, breach notification timelines, cross border transfer mechanisms, Significant Data Fiduciary thresholds and DPIA cadence (Rules 12 and 13), Consent Manager registration, and Data Protection Board procedures. Substantive consent and breach obligations are enforceable from 13 May 2027; the Consent Manager framework commences 13 November 2026. Most provisions are now operational law on a defined transition runway, not a deferred mandate.

The AMLEGALS method
How we run the engagement.

The Vibe Data Privacy framework structures our DPDPA implementation approach. We begin with a comprehensive gap assessment that maps current data processing activities against DPDPA requirements.

Data mapping identifies what personal data is collected, from whom, for what purpose, where it is stored, who has access, and where it is transferred. This mapping forms the foundation of the compliance programme.

Consent architecture design addresses how consent is obtained, recorded, managed, and withdrawn. We design consent mechanisms that comply with DPDPA requirements while maintaining user experience quality.

Privacy notices, internal policies, data processing agreements, and cross border transfer mechanisms are drafted based on the gap assessment findings. Implementation support includes system configuration guidance, process redesign, and staff training.

Ongoing compliance involves periodic audits, DPIA for new processing activities, breach response readiness, and regulatory monitoring.

In practice
Practical guidance you can act on.

Begin with data mapping. You cannot comply with DPDPA if you do not know what personal data you process, where it is stored, and who has access. Data mapping is not a one time exercise. It must be updated as processing activities change.

Design consent mechanisms for specificity. DPDPA requires consent for each specified purpose. Blanket consent for unspecified future processing will not satisfy the Act. Purpose specific consent with clear granularity is required.

Establish a breach response protocol before a breach occurs. The time to develop a response plan is not during a breach. Pre established protocols, designated response teams, and template notifications enable rapid response when incidents occur.

Review vendor and processor agreements for DPDPA alignment. Data Fiduciaries are responsible for processing conducted by Data Processors on their behalf. Contractual obligations must flow through the processor chain.

Children’s data deserves immediate attention. If your business collects data from users under 18, verifiable parental consent mechanisms and advertising restrictions must be implemented now.

Sectors

Industries we serve in this practice.

TechnologyFinancial ServicesHealthcareE CommerceTelecommunicationsEducationManufacturingGCC Operations
Answers

What clients ask before they commit.

Short, direct, on the record.

01What is the maximum penalty under DPDPA?

The Schedule to the DPDPA sets graded penalty ceilings rather than a single fine. The highest is INR 250 crore for failing to take reasonable security safeguards that results in a personal data breach. It is up to INR 200 crore for failing to notify the Board or affected Data Principals of a breach, and up to INR 200 crore for breaching the obligations relating to children under Section 9. A Significant Data Fiduciary that defaults on its additional duties under Section 10 faces up to INR 150 crore, and other contraventions attract up to INR 50 crore. The Data Protection Board fixes the actual amount after an inquiry, weighing the nature, gravity, duration, and impact of the breach and any mitigation taken.

02Who is a Data Fiduciary under DPDPA?

Section 2(i) defines a Data Fiduciary as any person who, alone or with others, determines the purpose and means of processing personal data. The label attaches to the decision maker, not the systems operator, so a vendor that only processes data on your instructions is a Data Processor under Section 2(k). The duty is also extraterritorial under Section 3(b): an entity outside India is still a Data Fiduciary if it processes personal data in connection with offering goods or services to Data Principals in India. In a group structure, the entity that actually sets the purpose carries the statutory obligations, so mapping that is the first step.

03What are Data Principal rights under DPDPA?

The Act confers four rights, each anchored to a section. Section 11 is the right to access a summary of the personal data being processed and the identities of those with whom it has been shared. Section 12 is the right to correction, completion, updating, and erasure. Section 13 requires every Data Fiduciary and Consent Manager to publish a grievance redressal mechanism and respond within the period to be prescribed. Section 14 is the right to nominate another individual to exercise these rights in the event of death or incapacity. A Data Principal must first approach the Data Fiduciary before escalating to the Board.

04How does DPDPA affect cross border data transfers?

Section 16 of the DPDPA follows a negative list model. Personal data may be transferred to any country or territory except those the Central Government specifically restricts by notification. No restricted list has been notified yet, and sector regulators such as the RBI may impose stricter localisation, so businesses should map every cross border data flow and build contractual safeguards now.

05Is consent required for all processing under DPDPA?

Consent under Section 6 must be free, specific, informed, unconditional, and unambiguous through a clear affirmative action, limited to the data necessary for the stated purpose, paired with a notice under Section 5, and withdrawable as easily as it was given. Consent is not the only basis. Section 7 lists certain legitimate uses that operate without fresh consent, including a purpose for which the Data Principal has voluntarily provided data, State functions and benefits, compliance with law or court orders, medical emergencies, disaster response, and specified employment purposes. Selecting the correct ground for each processing activity is the core design decision.

06What is the Vibe Data Privacy framework?

Vibe Data Privacy is our implementation methodology, not a document set. It sequences the work to the statutory transition dates: building consent and notice architecture and data maps now, readying integration with the Consent Manager framework that commences on 13 November 2026, and reaching full operational compliance before the Act is enforceable on 13 May 2027. The system is built to run from day one and to absorb each tranche of the DPDP Rules, 2025 as it takes effect, rather than being assembled as a one time project.

07Do companies need to appoint a DPO under DPDPA?

Only a Significant Data Fiduciary must appoint a Data Protection Officer. Under Section 10 the Central Government designates an entity, or a class of entities, as a Significant Data Fiduciary on factors such as the volume and sensitivity of personal data processed and the risks to Data Principal rights, electoral democracy, and State security. That DPO must be based in India, be responsible to the board or governing body, and be the point of contact for grievance redressal. Every other Data Fiduciary should still designate a responsible privacy function and a contact for Section 13 grievances, even though the statutory DPO duty does not bind them.

The difference
Why clients bring this work to AMLEGALS.

We have been working on Indian data protection since the Justice Srikrishna Committee report in 2018. Our understanding of DPDPA is not theoretical. It is built on years of engagement with the evolving framework.

The Vibe Data Privacy framework is not a compliance checklist. It is a governance system designed by practising lawyers who understand both the legal requirements and the operational realities of implementation.

Our multi disciplinary approach integrates data privacy with employment law (employee data), corporate law (governance obligations), technology law (AI and automated processing), and regulatory compliance (sectoral requirements). DPDPA does not exist in isolation, and neither does our advisory.

Where we practise

Available across our offices.

Engage AMLEGALS

Bring us the matter before the position hardens.

The strongest outcomes are built into the strategy at the start, not recovered from disputes later.

Get in Touch[email protected]
Engagements are conducted under attorney work product and privilege.